Mobile advertisers are working around a new Apple policy that makes it harder to track user activity on iPhones and iPads, in what some see as clear consumer privacy violations.

Last summer, Apple began phasing out developer access to unique device identifiers (UDID), numbers on devices that many companies had used like tracking cookies in Internet browsers, enabling them to monitor activity from app to app and target ads accordingly.

The Cupertino tech giant hasn't addressed its reason for the change and didn't respond to an inquiry from The Chronicle. Some have wondered whether Apple was trying to create an uneven playing field by exclusively using these identifiers for its own ad network, iAd.

But most industry observers believe the company took this step in response to growing concerns over privacy. The change followed reports in the Wall Street Journal and elsewhere highlighting how much information companies had access to via Apple devices, including consumers' location history, personal details and use of other apps.

In one hint that Apple's change was driven by privacy concerns, its guidelines now state that developers should create a unique ID specific to their own app, eliminating access to information beyond the boundaries of the company's product. Recent Apple app rejections have also cited privacy violations.

But many companies aren't content with the limited data left available under a strict reading of the policy. In response, they've devised a handful of new ways to monitor activity outside of their own app, sidestepping the obstacle Apple erected.

Stanford privacy researcher Jonathan Mayer says the tactics echo those employed by Google and several other companies to circumvent the privacy defaults in Apple's Safari browser, a controversial practice he first highlighted in February.

A Google-like practice

Google stopped using this technique after the Journal began reporting on it. The company is reportedly in talks with the Federal Trade Commission over a potentially multimillion-dollar fine for doing it in the first place.

"The similarities are striking," Mayer said. "Apple put in place a privacy protection, and some advertising companies have worked around it."

There are two main approaches so far. The first takes advantage of "pasteboards" in Apple's mobile operating system. These were designed to allow users to copy and paste data from one application to another, but developers discovered they can also employ them to store a unique ID that persists even if an app is closed or the system reboots.

One version of this approach is known as OpenUDID, developed in part by Yann Lechelle, the co-founder of Paris ad network Appsfire.

In an interview, he argued that it can't be assumed Apple made the change for privacy reasons and therefore it's not clear they're violating the spirit of the policy.

He said advertisers must be able to peer outside an app to measure the effectiveness of ads - for instance, whether an ad drove a user to download an app, something known as a "conversion." Without such metrics, the mobile ad economy begins to break down, he said.

"We don't care that the device ID actually was tracked; what we care about is that 20 percent of the clicks became downloads," he said.

Given these concerns, advertisers will push back hard if Apple adopts a strict stance against alternative UDIDs, said Ashkan Soltani, an independent privacy and security researcher. But he believes there's a more appropriate middle ground than the alternatives now being implemented.

"The challenge here is to provide a solution that allows some of the accounting necessary for an ad economy to work while providing the necessary transparency and control to consumers who are concerned about their privacy," Soltani said in an e-mail. "I've been on multiple roundtable debates for how to do this and ultimately it may come down to certain parties (i.e. ad and analytic companies) curbing their appetite for information."

Consumers unaware

The core problem is that consumers are unaware of these tracking mechanisms and don't have control over them, he said.

"Most users would probably be surprised to find that a handful of companies can track their usage across multiple apps, knowing when you run a fitness app, a calorie counter (and) then run a dating app," he said.

The OpenUDID website lists 17 companies supporting or using the standard so far, including Tapjoy, Adfonic, MoPub and Greystripe.

The second main alternative UDID relies on the unique MAC address of the device's Wi-Fi chip, which developers can obtain by digging into the underlying software on which Apple's mobile operating system is based. The ad network Jumptap has publicly embraced this approach, though it said in a blog post it's exploring other options.

Christina Feeney, a Jumptap spokeswoman, didn't address a question about whether this amounts to circumventing an Apple privacy feature, but stressed that the company supports other industry efforts to allow consumers to opt out of targeted ads.

"We're big proponents of giving consumers notice and choice," she said in an e-mail.

For both of these broad alternative approaches, several industry bodies have formed to back competing methods of achieving the desired result. Ad networks are hotly debating not whether they should do this - but which technical approach is superior.

Lechelle argues that developers shouldn't get access to the MAC address because it presents security concerns. Meanwhile, proponents of a competing "pasteboard" approach known as SecureUDID argue that OpenUDID is "fundamentally flawed," because it assigns a single number to the device that all companies can use, rather than different numbers for each.
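The distinction drawn here, one device-wide number versus a different number per app, can be measured as cross-app linkability in the data an ad network receives. The sketch below is an added example, not code from the article, OpenUDID or SecureUDID; the device names, app names and the HMAC-based derivation are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: which apps each hypothetical device runs.
# The device name doubles as that device's secret seed in this sketch.
DEVICES = {
    "device-A": ["fitness", "calorie-counter", "dating"],
    "device-B": ["fitness", "dating"],
    "device-C": ["calorie-counter"],
}


def shared_id(device_seed: str, app: str) -> str:
    """Device-wide scheme: every app on the device reports the same value."""
    return hashlib.sha256(device_seed.encode()).hexdigest()[:16]


def scoped_id(device_seed: str, app: str) -> str:
    """App-scoped scheme (assumed derivation): the value is keyed by the
    app name, so two apps on one device report unrelated identifiers."""
    digest = hmac.new(device_seed.encode(), app.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def collect_rows(id_scheme):
    """The (identifier, app) rows a third party would receive."""
    return [
        (id_scheme(seed, app), app)
        for seed, apps in DEVICES.items()
        for app in apps
    ]


def linkable_profiles(rows):
    """Group rows by identifier and keep those seen in more than one app,
    i.e. the devices whose app usage can be joined into one profile."""
    apps_by_id = defaultdict(set)
    for ident, app in rows:
        apps_by_id[ident].add(app)
    return {i: sorted(a) for i, a in apps_by_id.items() if len(a) > 1}


if __name__ == "__main__":
    for name, scheme in (("device-wide", shared_id), ("app-scoped", scoped_id)):
        profiles = linkable_profiles(collect_rows(scheme))
        print(f"{name}: {len(profiles)} device(s) linkable across apps")
```

With the device-wide scheme, the two devices that run more than one app collapse into joined profiles; with the app-scoped scheme, no identifier appears in more than one app.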

Lechelle and Soltani agreed that the company best situated to address the concerns on both sides of the debate is Apple itself.

"They are the only one who can implement a proper, global mechanism," Lechelle said. "Until they do, everything else is ad hoc."

Soltani said it's likely Apple will try to craft a solution that balances privacy concerns against the needs of advertisers in the next upgrade of its mobile operating system.

"Under the current regulatory regime, it's clear that the use of persistent tracking with no controls is considered problematic," he said. "I suspect Apple will provide a solution, force everyone to use it and call it a day."